tests/krb5: Add tests presenting short-lived ticket in various scenarios
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 17 May 2023 22:59:53 +0000 (10:59 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 18 May 2023 04:53:30 +0000 (04:53 +0000)
With the Heimdal KDC, we erroneously accept short-lived tickets (ones with
the two-minute lifetime of a kpasswd ticket) when they are presented as a
FAST armor ticket or in a user-to-user request.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/kdc_tgs_tests.py
selftest/knownfail_heimdal_kdc
selftest/knownfail_mit_kdc

index a5b4d18b0512817722bda5728e7dea41a0734b36..171623cc5d71395bd835da5455ff0df3d113b3ff 100755 (executable)
@@ -47,6 +47,7 @@ from samba.tests.krb5.rfc4120_constants import (
     KDC_ERR_PREAUTH_REQUIRED,
     KDC_ERR_C_PRINCIPAL_UNKNOWN,
     KDC_ERR_S_PRINCIPAL_UNKNOWN,
+    KDC_ERR_TKT_EXPIRED,
     KDC_ERR_TGT_REVOKED,
     KRB_ERR_TKT_NYV,
     KDC_ERR_WRONG_REALM,
@@ -1668,6 +1669,39 @@ class KdcTgsTests(KdcTgsBaseTests):
         self._fast(tgt, creds, expected_error=KDC_ERR_GENERIC,
                    expect_edata=self.expect_padata_outer)
 
+    # Test with a TGT that has the lifetime of a kpasswd ticket (two minutes).
+    def test_tgs_kpasswd(self):
+        creds = self._get_creds()
+        tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
+        self._run_tgs(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
+
+    def test_renew_kpasswd(self):
+        creds = self._get_creds()
+        tgt = self._get_tgt(creds, renewable=True)
+        tgt = self.modify_lifetime(tgt, lifetime=2 * 60)
+        self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
+
+    def test_validate_kpasswd(self):
+        creds = self._get_creds()
+        tgt = self._get_tgt(creds, invalid=True)
+        tgt = self.modify_lifetime(tgt, lifetime=2 * 60)
+        self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
+
+    def test_s4u2self_kpasswd(self):
+        creds = self._get_creds()
+        tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
+        self._s4u2self(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
+
+    def test_user2user_kpasswd(self):
+        creds = self._get_creds()
+        tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
+        self._user2user(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
+
+    def test_fast_kpasswd(self):
+        creds = self._get_creds()
+        tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
+        self._fast(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
+
     # Test user-to-user with incorrect service principal names.
     def test_user2user_matching_sname_host(self):
         creds = self._get_creds()
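Review bot: Every new test in this hunk sets the lifetime to exactly `2 * 60` seconds and expects KDC_ERR_TKT_EXPIRED, so the suite pins only the rejected side of the threshold; an off-by-one in the KDC's comparison (rejecting anything under two minutes but accepting exactly two, or the reverse) would pass unnoticed. A companion test that a ticket just over the kpasswd lifetime is still accepted would close that gap, e.g. `tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60 + 1)` followed by `self._run_tgs(tgt, creds)`, assuming `_run_tgs` treats an omitted `expected_error` as expecting success as `_fast` appears to. The literal `2 * 60` is repeated six times with its meaning given only in the comment above `test_tgs_kpasswd`; a class-level `KPASSWD_LIFETIME = 2 * 60` with a one-line comment would keep the threshold and its rationale in one place. `modify_lifetime` is defined outside this hunk, so whether it measures the lifetime from authtime or from starttime is not visible here; a short comment on these tests stating which one the KDC's check is expected to use would help the next reader.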
index c00fc68ac12873672eb091977999441295fd8fd0..8386966ed9fda496f4449ae39afccc6fd7835f62 100644 (file)
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_b
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_rodc_issued
 #
+# KDC TGS tests
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_kpasswd.ad_dc
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_kpasswd.ad_dc
+#
 # https://bugzilla.samba.org/show_bug.cgi?id=14886: Tests for accounts not revealed to the RODC
 #
 # The KDC should not accept tickets from an RODC for accounts not in the msDS-RevealedUsers list.
index 3686dd24f9b3c5638980ad97f7f166b69e763fe2..d600957388c943cfdbce85b08d9a591a3167bbad 100644 (file)
@@ -194,6 +194,15 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_ldap_service_ticket\(ad_dc\)
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_get_ticket_for_host_service_of_machine_account\(ad_dc\)
 #
+# KDC TGS tests
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_kpasswd.ad_dc
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_kpasswd.ad_dc
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_kpasswd.ad_dc
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_kpasswd.ad_dc
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_kpasswd.ad_dc
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_kpasswd.ad_dc
+#
 # KDC TGS PAC tests
 #
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_no_pac_service_no_auth_data_required\(ad_dc\)
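Review bot: The six added knownfail patterns end in `.ad_dc`, while the surrounding entries for the same test class use `\(ad_dc\)`; the unescaped `.` still matches the `(` in `test_tgs_kpasswd(ad_dc)`, so the entries work, but they are looser than their neighbours and the same looser form is used in the knownfail_heimdal_kdc hunk of this commit. For consistency with the adjacent lines I would write them as `^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_kpasswd\(ad_dc\)` and likewise for the other five. A one-line comment under the new `# KDC TGS tests` header saying why these fail on the MIT KDC (it does not yet reject kpasswd-lifetime tickets at the TGS, if that is the reason) would match the style of the other headers in this file.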